Threat of the Week: Time to Disconnect Android Phones?

The news could not get worse. A week ago security firm BlueBox announced it had found a “master key” vulnerability – affecting 99% of Android phones – that theoretically would enable a cybercriminal to transform just about any app into malware.

On its face, that says almost all Android phones are ticking time bombs and so the rumbling has started that just maybe credit unions and other financial institutions should politely but firmly advise their members to take their Androids elsewhere.

But there is more to this story and, indeed, Android vulnerabilities are real but few security experts are urging outright bans.

For starters: Google now says it has rolled out a patch to its partners, which means phone makers and carriers will shortly distribute the fix.

What’s more, Jeff Forristal, chief technology officer at BlueBox, the company that discovered the Android vulnerability, said in an interview that, to his mind, a sharper question than would you use an Android is would you use a Windows computer for online banking?

Added Forristal: “Just because there is a potential for risk does not mean the risk will be realized.”

In the case of the master key vulnerability, Forristal stressed, “We have discovered no proof that this has been exploited.”

Most other experts sing the same tune: Android is fine, though users need to practice safe surfing and downloading.

“Currently the infection rate for Android phones is much lower than the PC infection rate, making Android a much safer tool for online banking,” said Alex Bobotek, co-chairman of the Messaging, Malware and Mobile Anti-Abuse Working Group, an industry body. He added, “So here's the best safe mobile banking strategy: put a password on your phone and think before you click.”

A fact: there are literally millions of Android apps infected with malware – the Anti-Phishing Working Group recently reported over 1.3 million confirmed-malicious files for the platform – while comparable infection rates for iPhone apps is much lower, mainly because the Apple Apps Store is the only place to download apps, whereas Android apps are available anywhere.

That openness has given criminals a freedom to stock the pond with bad apps. But many of these bad apps are available only in Russian, or Chinese, and infection rates in the U.S. are thought by most experts to be much lower.

It's also simple to sidestep most of this malware, wherever it is.

“There are risks with Android,” stressed Rohit Sethi, a vice president at Security Compass. “But if you are careful the risks are overblown.”

He specifically cautioned users to only download apps from the leading Android apps stores –

Google Play and Amazon Appstore. Another precaution is only to download apps that have already been downloaded thousands of times – there are risks in being a first adopter because often it is users who sound the alert about bad Android apps.

Meantime, George Tubin, a security consultant with Trusteer, stressed that many financial institutions are taking steps to proactively deliver more protection to mobile banking customers by implementing tools that unobtrusively inspect a member’s phone for installed malware that could compromise mobile banking sessions. Key to this is that the checking happens behind the scenes, with no requirement for user involvement.

Take steps like that, said Tubin, and both the financial institution and its members can proceed with a high level of confidence in the safety of mobile banking sessions.

Bottom line: Android phones now claim over 50% of the smartphone market in the U.S. and, with hundreds of devices and availability at just about every price point, no expert is predicting significant share erosion. Android rules the smartphone world and that means it is incumbent on credit unions to learn to live – safely – with them.